libcontainer

package
v0.10.1-0...-0ade0af Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 23, 2014 License: Apache-2.0 Imports: 4 Imported by: 0

README

libcontainer - reference implementation for containers

background

libcontainer specifies configuration options for what a container is. It provides a native Go implementation for using Linux namespaces with no external dependencies. libcontainer provides many convenience functions for working with namespaces, networking, and management.

container

A container is a self contained directory that is able to run one or more processes without affecting the host system. The directory is usually a full system tree. Inside the directory a container.json file is placed with the runtime configuration for how the processes should be contained and ran. Environment, networking, and different capabilities for the process are specified in this file. The configuration is used for each process executed inside the container.

Sample container.json file:

{
   "hostname" : "koye",
   "networks" : [
      {
         "gateway" : "172.17.42.1",
         "context" : {
            "bridge" : "docker0",
            "prefix" : "veth"
         },
         "address" : "172.17.0.2/16",
         "type" : "veth",
         "mtu" : 1500
      }
   ],
   "cgroups" : {
      "parent" : "docker",
      "name" : "11bb30683fb0bdd57fab4d3a8238877f1e4395a2cfc7320ea359f7a02c1a5620"
   },
   "tty" : true,
   "environment" : [
      "HOME=/",
      "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
      "HOSTNAME=11bb30683fb0",
      "TERM=xterm"
   ],
   "capabilities_mask" : [
      "SETPCAP",
      "SYS_MODULE",
      "SYS_RAWIO",
      "SYS_PACCT",
      "SYS_ADMIN",
      "SYS_NICE",
      "SYS_RESOURCE",
      "SYS_TIME",
      "SYS_TTY_CONFIG",
      "MKNOD",
      "AUDIT_WRITE",
      "AUDIT_CONTROL",
      "MAC_OVERRIDE",
      "MAC_ADMIN",
      "NET_ADMIN"
   ],
   "context" : {
      "apparmor_profile" : "docker-default"
   },
   "mounts" : [
      {
         "source" : "/var/lib/docker/containers/11bb30683fb0bdd57fab4d3a8238877f1e4395a2cfc7320ea359f7a02c1a5620/resolv.conf",
         "writable" : false,
         "destination" : "/etc/resolv.conf",
         "private" : true
      },
      {
         "source" : "/var/lib/docker/containers/11bb30683fb0bdd57fab4d3a8238877f1e4395a2cfc7320ea359f7a02c1a5620/hostname",
         "writable" : false,
         "destination" : "/etc/hostname",
         "private" : true
      },
      {
         "source" : "/var/lib/docker/containers/11bb30683fb0bdd57fab4d3a8238877f1e4395a2cfc7320ea359f7a02c1a5620/hosts",
         "writable" : false,
         "destination" : "/etc/hosts",
         "private" : true
      }
   ],
   "namespaces" : [
      "NEWNS",
      "NEWUTS",
      "NEWIPC",
      "NEWPID",
      "NEWNET"
   ]
}

Using this configuration and the current directory holding the rootfs for a process, one can use libcontainer to exec the container. Running the life of the namespace, a pid file is written to the current directory with the pid of the namespaced process to the external world. A client can use this pid to wait, kill, or perform other operation with the container. If a user tries to run a new process inside an existing container with a live namespace, the namespace will be joined by the new process.

You may also specify an alternate root place where the container.json file is read and where the pid file will be saved.

nsinit

nsinit is a cli application used as the reference implementation of libcontainer. It is able to spawn or join new containers giving the current directory. To use nsinit cd into a Linux rootfs and copy a container.json file into the directory with your specified configuration.

To execute /bin/bash in the current directory as a container just run:

nsinit exec /bin/bash

If you wish to spawn another process inside the container while your current bash session is running just run the exact same command again to get another bash shell or change the command. If the original process dies, PID 1, all other processes spawned inside the container will also be killed and the namespace will be removed.

You can identify if a process is running in a container by looking to see if pid is in the root of the directory.

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (
	ErrUnkownNamespace  = errors.New("Unknown namespace")
	ErrUnkownCapability = errors.New("Unknown capability")
	ErrUnsupported      = errors.New("Unsupported method")
)

Functions

This section is empty.

Types

type Capabilities

type Capabilities []*Capability

func (Capabilities) Contains

func (c Capabilities) Contains(capp string) bool

Contains returns true if the specified Capability is in the slice

func (Capabilities) Get

func (c Capabilities) Get(capp string) *Capability

type Capability

type Capability struct {
	Key     string         `json:"key,omitempty"`
	Enabled bool           `json:"enabled"`
	Value   capability.Cap `json:"value,omitempty"`
}

func GetCapability

func GetCapability(key string) *Capability

func (*Capability) String

func (c *Capability) String() string

type Container

type Container struct {
	Hostname         string          `json:"hostname,omitempty"`          // hostname
	ReadonlyFs       bool            `json:"readonly_fs,omitempty"`       // set the containers rootfs as readonly
	NoPivotRoot      bool            `json:"no_pivot_root,omitempty"`     // this can be enabled if you are running in ramdisk
	User             string          `json:"user,omitempty"`              // user to execute the process as
	WorkingDir       string          `json:"working_dir,omitempty"`       // current working directory
	Env              []string        `json:"environment,omitempty"`       // environment to set
	Tty              bool            `json:"tty,omitempty"`               // setup a proper tty or not
	Namespaces       Namespaces      `json:"namespaces,omitempty"`        // namespaces to apply
	CapabilitiesMask Capabilities    `json:"capabilities_mask,omitempty"` // capabilities to drop
	Networks         []*Network      `json:"networks,omitempty"`          // nil for host's network stack
	Cgroups          *cgroups.Cgroup `json:"cgroups,omitempty"`           // cgroups
	Context          Context         `json:"context,omitempty"`           // generic context for specific options (apparmor, selinux)
	Mounts           []Mount         `json:"mounts,omitempty"`
}

Container defines configuration options for how a container is setup inside a directory and how a process should be executed

type Context

type Context map[string]string

Context is a generic key value pair that allows arbatrary data to be sent

type Mount

type Mount struct {
	Source      string `json:"source"`      // Source path, in the host namespace
	Destination string `json:"destination"` // Destination path, in the container
	Writable    bool   `json:"writable"`
	Private     bool   `json:"private"`
}

Bind mounts from the host system to the container

type Namespace

type Namespace struct {
	Key     string `json:"key,omitempty"`
	Enabled bool   `json:"enabled,omitempty"`
	Value   int    `json:"value,omitempty"`
	File    string `json:"file,omitempty"`
}

func GetNamespace

func GetNamespace(key string) *Namespace

func (*Namespace) String

func (ns *Namespace) String() string

type Namespaces

type Namespaces []*Namespace

func (Namespaces) Contains

func (n Namespaces) Contains(ns string) bool

Contains returns true if the specified Namespace is in the slice

func (Namespaces) Get

func (n Namespaces) Get(ns string) *Namespace

type Network

type Network struct {
	Type    string  `json:"type,omitempty"`    // type of networking to setup i.e. veth, macvlan, etc
	Context Context `json:"context,omitempty"` // generic context for type specific networking options
	Address string  `json:"address,omitempty"`
	Gateway string  `json:"gateway,omitempty"`
	Mtu     int     `json:"mtu,omitempty"`
}

Network defines configuration for a container's networking stack

The network configuration can be omited from a container causing the container to be setup with the host's networking stack

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL